Channels

Services

PostgreSQL updates to close denial-of-service hole

A misdeclared enum_recv function within PostgreSQL meant that a simple SQL command was all that was needed to crash PostgreSQL. The hole, assigned the number CVE-2013-0255 for easy identification, could be used to examine the contents of server memory, at least in theory. The PostgreSQL developers have therefore announced the release of updates to PostgreSQL 9.2, 9.1, 9.0, 8.4 and 8.3 to fix the bug and close the hole.

According to the notes attached to Red Hat's bug report, the problem was an array index error that allowed an unprivileged user to issue a query which would, when the database retrieved the text of the relevant error message, cause an out-of-bounds heap-based buffer error.

The PostgreSQL 9.2 update also fixes a performance problem which manifested as a slow down in processing dynamic queries in stored procedures. The developers recommend that users who use the EXECUTE command, and are therefore affected by this regression, update. Also fixed are issues with intermittent crashes around the use of CREATE/DROP INDEX CONCURRENTLY.

The updates, PostgreSQL 9.2.3, 9.1.8, 9.0.12, 8.4.16, and 8.3.23, should be applied as soon as possible and do not require a dump/reload of the database. Release notes for all versions are available. Binary versions for FreeBSD, OpenBSD, RedHat/CentOS/Fedora/Scientific Linux, Debian, Ubuntu, SUSE, Mac OS X, Solaris and Windows, along with source code, are available to download.